---
title: Rootkits
course: intro_pentest
section: "Maintaining Access with Backdoors and Rootkits"
layout: lesson
---

Just like Metasploit, when people are first exposed to the power and cunning of
rootkits, they are usually amazed. To the uninitiated, rootkits appear to have
an almost black-magic-like quality. They are usually simple to install and can
produce amazing results. Running a rootkit gives you the ability to hide files,
processes and programs as if they were never installed on the computer. Rootkits
can be used to hide files from users and even the operating system itself.

Because rootkits are so effective at hiding files, they will often be successful
at evading even the most finely tuned antivirus software. The name rootkit is
typically said to be a derivative of the words “root”, as in root-level or
administrative access, and “kit”, the collection of tools provided by the
software package.

As we already mentioned, rootkits are extremely stealthy. They can be used for a
variety of purposes including escalating privileges, recording keystrokes,
installing backdoors and other nefarious tasks. Many rootkits are able to avoid
detection because they operate at a much lower level of the operating system
itself, inside the kernel. The software that users typically interact with
functions at a higher level of the system. When a piece of software like an
antivirus needs to perform a particular task, it’ll often pass the request off
to the lower levels of the operating system to complete the task. Remember, some
rootkits live deep inside the operating system. They can also work by “hooking”,
or intercepting, these various calls between the software and the operating
system.

By hooking the request from a piece of software, the rootkit is able to modify
the normal response. Consider the following example: assume that you want to see
what processes are running on a Windows machine. To accomplish this, most users
will press the key combination “CTRL+ALT+DEL”. This allows the user to
start the Task Manager and view running processes and services. Most people
perform this task without thinking about it. They examine the process list
presented and move on.

While the following is a gross oversimplification, it should serve as an example
to help you understand the basics. In this case, software is making a call to
the operating system and asking what processes or services are running. The
operating system queries all the running programs it’s aware of and returns the
list. However, if we add a rootkit to the mix, things get a little more
complicated. Because rootkits have the ability to intercept and modify the
responses returned by the operating system, when a user attempts to view the
process list, the rootkit can simply remove selected programs, services and
processes from the list. This happens instantaneously and the user is not aware
of any difference. The program itself is actually functioning perfectly. It’s
reporting exactly what it was told by the operating system. In many senses of
the word, the rootkit is causing the operating system to lie.
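The defender's counterpart of the hooking just described is cross-view detection: gather the process list from the high-level path that a hook can filter, gather it again from a lower-level path the hook may not cover, and diff the two. The following is an added example, not part of this lesson; the real collectors assume a Linux host (readdir on `/proc` versus probing every PID with `kill(pid, 0)`), while the constructed sample views show the expected shape without a live host.

```python
import os
import sys
from typing import Dict, Set

def hidden_processes(listing: Set[int], sources: Dict[str, Set[int]]) -> Dict[int, Set[str]]:
    """Cross-view diff: PIDs that a lower-level source reports but the
    high-level listing omits, mapped to the sources that saw them."""
    hidden: Dict[int, Set[str]] = {}
    for name, pids in sources.items():
        for pid in pids - listing:
            hidden.setdefault(pid, set()).add(name)
    return hidden

def proc_listing_view() -> Set[int]:
    """High-level view: readdir on /proc, the path ps and top take and the
    one a hooked directory-listing call can filter."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def is_group_leader(pid: int) -> bool:
    """Thread IDs answer kill(tid, 0) too, so keep only thread-group leaders.
    /proc/<tid>/status is readable even though /proc does not list it."""
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True  # status unreadable: treat as a process and let the diff flag it
    return False

def kill_probe_view(max_pid: int) -> Set[int]:
    """Low-level view: ask the kernel about every PID directly with signal 0.
    A PID that answers here but is missing from the listing is being hidden
    (or exited between the two views: re-run to rule out that race)."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        if is_group_leader(pid):
            found.add(pid)
    return found

# Constructed views (not captured from a real host): 5150 is missing from the listing.
SAMPLE_LISTING = {1, 2, 300, 4711}
SAMPLE_SOURCES = {"kill_probe": {1, 2, 300, 4711, 5150}, "socket_owners": {300, 5150}}

if __name__ == "__main__" and sys.platform.startswith("linux"):
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    for pid, seen_by in hidden_processes(proc_listing_view(), {"kill_probe": kill_probe_view(pid_max)}).items():
        print(f"PID {pid} hidden from /proc listing, seen by {sorted(seen_by)}")
```

A process whose PID shows up only in the low-level view is the signature to investigate; a rootkit that also hooks the lower path defeats this particular pair of views, which is why real tools compare several.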

It’s important to point out that a rootkit is not an exploit. A rootkit is
something uploaded to a system after the system has been exploited.
Rootkits are usually used to hide files or programs and maintain stealthy
backdoor access.
